Some home automation systems are rife with holes, security experts say

Trustwave researchers will reveal vulnerabilities in home automation gateways and other network-controlled products at Black Hat

A variety of network-controlled home automation devices lack basic security controls, making it possible for attackers to access their sensitive functions, often from the Internet, according to researchers from security firm Trustwave.

Some of these devices are used to control door locks, surveillance cameras, alarm systems, lights and other sensitive systems.

The Trustwave researchers plan to discuss vulnerabilities they discovered in several such products during a presentation Thursday at the Black Hat USA security conference in Las Vegas.

One of the more interesting devices they tested was a home automation gateway system called VeraLite that's manufactured by a Hong Kong-based company called Mi Casa Verde.

The VeraLite is an embedded device that sits on a home network and can be used to control other systems connected to it. It can manage as many as 70 devices at once and is equipped to work with 750 smart systems, including lights, thermostats, surveillance cameras, alarm systems, door locks, window blinds and HVAC (heating, ventilation, and air conditioning) systems.

In its default configuration VeraLite doesn't require a username and password, so if the owner doesn't set one up intentionally, the device can be accessed and controlled by anyone from the local network, said Daniel Crowley, a security researcher at Trustwave.

Even if the device owner does create a username and password, the device can still be controlled using the Universal Plug and Play (UPnP) protocol, which doesn't have built-in support for authentication, Crowley said. You can write your own UPnP authentication feature or use an UPnP extension for it, but Mi Casa Verde didn't do this for VeraLite, he said.

VeraLite's UPnP functionality allows anyone located on the local network to execute arbitrary code on the device as root, the highest-privileged account type, giving them complete control over the system, the researcher said.

It is also possible to exploit this vulnerability from the Internet by launching a cross-protocol attack against a user who is on the same network as the device.

"If I know that someone has a VeraLite on their home network and they're at home, I can trick them into visiting a Web page that instructs their browser to set up a backdoor on their VeraLite device using UPnP," Crowley said.

Another thing that's concerning is a remote access feature in VeraLite that involves the device connecting via the Secure Shell (SSH) protocol to a remote forwarding server operated by the manufacturer, Crowley said. The user can then log in to the forwarding server via a remote Web interface and control their device, he said.

This architecture has security problems, because when the VeraLite connects to the forwarding server, the port is forwarded, Crowley said. "Connecting to a particular port on the forwarding server connects you to your VeraLite."

According to the researcher, this creates a single point of failure, because if an attacker managed to bypass the firewall protecting the forwarding server, he could get access to every VeraLite unit connected to it.

An attacker wouldn't necessarily need to compromise the forwarding server itself. Finding and exploiting a vulnerability in the Web interface or the Web server could be enough, Crowley said.

When these issues were reported to the manufacturer, the company responded that these are not vulnerabilities but intended features that exist by design, the researcher said.

It's an odd design to give users the option to create a log-in account and password and have different levels of access on the device, but then create a separate so-called feature that bypasses all of those security controls, he said.

Mi Casa Verde did not immediately respond to a request for comment sent via email.

Another product analyzed by the Trustwave researchers is called the Insteon Hub and is a network-enabled device that can control light bulbs, wall switches, outlets, thermostats, wireless Internet Protocol (IP) cameras and more.

"When you first set up the Insteon Hub, you're asked to set up port forwarding from the Internet to the device, so basically you're opening up access to it to anybody from the Internet," said David Bryan, a Trustwave researcher who reviewed the device after buying one to use in his house.

The Insteon Hub can be controlled from a smartphone application that sends commands to it over the local network or the Internet, he said.

When inspecting the traffic coming from his phone over the Internet and into the Insteon Hub, Bryan discovered that no authentication and no encryption was being used. Furthermore, there was no option to enable authentication for the Web service running on the Insteon Hub that receives commands, he said.

"This meant that anybody could have turned off my lights, turned on and off my thermostat, changed settings or [done] all sorts of things that I would expect to require some sort of authorization," Bryan said.

Attackers could use Google or the SHODAN search engine, or could perform port scans, to locate Insteon Hub devices connected to the Internet, Bryan said.

Insteon, the company in Irvine, California, that manufactures the device, was notified of the issue in December, according to the researcher. A new version of the product that uses basic authentication for the Web service was released in March, he said.

However, as far as Bryan knows, there is no method for users to update the firmware, so upgrading to the new version would involve getting a new device.

Insteon did not immediately respond to a request for comment sent via email.

The new version of Insteon Hub doesn't encrypt the traffic, and the password used for authentication can be easily decoded by an attacker who can intercept the traffic, Bryan said.

Furthermore, the password is based on a part of the device's MAC address. Getting a device's MAC address from the Internet is not possible, but it's easy to do from the local network, he said.

This means that if an attacker can break into a home's Wi-Fi network or into a local network computer, he can potentially gain access to an Insteon Hub device located on the same network.

Other devices that were found to have security issues included the Belkin WeMo Switch for power outlets, the Lixil Satis smart toilet, the Linksys Media Adapter, which is no longer being sold, and a radio thermostat.

Home automation systems are often connected to security devices, so they are part of the overall security of a home, Bryan said. Because of this, they should have security controls built into them, he said.

Companies that manufacture these systems are trying to get their products to market as fast as possible, and they often overlook security testing because it impedes that process, Bryan said. "I really hope that going forward, people will start to learn from these security issues, because it's very frustrating to me as a consumer to see products come out that aren't secure and I can easily break into, and then discover a large number of the same products on the Internet that have the same flaws."

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags intrusionconsumer electronicsMi Casa Verdetrustwavesecurityblack hatphysical securityAccess control and authenticationInsteon

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments


Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >


Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >


Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >


Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?